DevSecOps: What enterprises need to know
We are excited to bring Transform 2022 back in-person July 19 and virtually July 20 — 28. Join AI and data leaders for insightful talks and exciting networking opportunities. Register today!
As technology grows ever more complex, so too do the security methods meant to safeguard and shield it.
Existing security issues are ever-present and evolving, and new problems continuously emerge, calling for increasingly advanced cybersecurity measures – DevSecOps being one of them.
DevSecOps is defined as the practice of addressing development, security, and operations simultaneously through the full application lifecycle.
“Data security considerations are addressed throughout the pipeline instead of just at the end,” said Meredith Bell, CEO of DevSecOps platform company AutoRABIT.
“This is to ensure that security vulnerabilities are found and addressed with the same quality, scale and speed as development and testing processes,” as well as to help assure that every update supports a stable system, he said.
Mike O’Malley, SVP of strategy for IT services company SenecaGlobal, agreed that “it means thinking about application and infrastructure security from the start.”
The efforts of cybersecurity and software development are combined, he said, so that security is integrated into every phase of the software development lifecycle – from initial design through integration, testing, deployment and software delivery.
In some cases, companies are incorporating security measures even earlier in the development cycle – a sort of “pre-step before devops,” or as O’Malley called it, “PlanSecOps.”
“So, security is not only being built in during the development, it’s being built into frameworks even before (developers) begin to code,” he said.
DevSecOps and devops overlap
Still, there is no industry standard definition or approach to DevSecOps, said Gartner VP analyst George Spafford – making it much like devops, from which it stems.
The term devops was coined roughly a decade ago, and the concept involves combining software development and IT operations. The end goal of this is to shorten systems development lifecycles and provide continuous delivery and high software quality. Devops, in turn, encompasses several aspects of the agile methodology, which involves breaking projects into several phases to allow for ongoing collaboration and improvement.
As Spafford noted, “DevSecOps is still devops, but it is explicitly stating that Information Security must be collaborated with, and the needed controls to mitigate risk must be factored in.”
The advantages are the same as devops, assuming organizations factor in “all of the stakeholders” – that is, the improved capability to deliver customer value at the cadence/speed the customer needs while managing risk.
Agile development and devops/DevSecOps can be powerful when combined, particularly when it comes to AI and other efforts that require ample and ongoing experimentation and learning.
Still, “it shouldn’t be pursued solely because it seems like a good idea. People should use devops/DevSecOps where it makes sense, where there is a need,” Spafford said.
Particularly compared to the waterfall methodology – a linear approach to project management in which each stage must be completed before moving onto the next – agile is beneficial in situations where there is ambiguity about needs or rapid change is occurring. Waterfall’s Achille’s heel, Spafford said, is that users must identify requirements up front when needs are the least understood. This means that a project plan is created with a massive amount of work in process and dependencies.
Agile allows developers to focus their efforts on customer outcomes and perform regular releases with “the backlog of features being groomed to reflect the latest lessons learned,” Spafford said.
“This is a powerful approach because it enables a step curve delivery of customer value, learning and continual improvement,” Spafford said.
But organizations must also consider the disadvantages: Overcoming existing culture and getting people to learn and change. These can be addressed, Spafford noted, but they must be considered from the start and throughout the process.
And ultimately, devops and DevSecOps “are not a progression that you start with one and then move to the other,” Spafford said. “In either case, start small, learn, improve, demonstrate value and grow the footprint.”
Growing concept, adoption
As security vulnerabilities increase, DevSecOps is becoming more defined as a concept, as well as growing in adoption.
According to Emergen Research, the global DevSecOps market will reach $23.42 billion in 2028. That’s up a significant 32.2% compound annual growth rate (CAGR) from $2.55 billion in 2020.
This tracks with the growth of the devops market, which is expected to register more than 20% gains from 2022 to 2028, according to Global Market Insights. The firm expects the segment to increase from roughly $7 billion to more than $30 billion over that period.
A rising need for repeatable and adaptive processes, custom code security and automated monitoring and testing is driving this growth, Emergen reports. And a growing number (and iteration) of platforms and tools are emerging – from the likes of Unisys, Kryptowire, Red Hat, and Rackner.
Increased protection in an ‘ugly’ landscape
“DevSecOps is no longer an option” – it is a necessity,” Bell said. Likewise, “security is not an afterthought.” Rather, it should be integrated at every phase of the devops development cycle.
O’Malley agreed, pointing out that the common practice has been to tack security onto software at the end of the development cycle.
This wasn’t a significant issue until new development practices including agile and devops became ever more prevalent as a means to reduce development cycles, he pointed out. Amidst this adoption, the tacking-on approach created many delays or was skipped altogether to push new features out to clients, thus creating further security gaps.
DevSecOps is “becoming even more critical,” O’Malley said, underscoring that, “It’s ugly out there in security.”
Notably, hackers have become smarter and more sophisticated. They are increasingly developing ways to directly bypass multifactor authentication through access points in public clouds, apps, mobile and IoT devices; to directly target organizations and force them to pay ransom; and to use so-called “stalkerware” apps to record conversations, location and everything a user types, “all while camouflaged as a calculator or calendar,” O’Malley said.
He also pointed to the mainstreaming of cloud computing as a factor. As predicted by Gartner, 70% of all enterprise workloads will be deployed to the cloud by 2023, up from 40% in 2020. What’s more, businesses across industries are expected to have at least nine different cloud environments by 2023.
Hosting data and apps in so many places adds a level of complexity that can make it difficult to manage cloud security operations (or CloudSecOps). And while it has numerous benefits – not the least of which are cost and flexibility – the cloud also opens more entry points. Organizations have larger areas to secure, and with access not limited to physical location, “anyone and everyone is a potential threat,” O’Malley said.
Attackers can use third-party apps, employee credentials and bots to gain access, thus increasing the need for modern cybersecurity measures.
The shift to remote work and continuous digital transformation have increased organizations’ vulnerabilities, Bell pointed out. Secure apps and continuous updates allow companies to adapt to this without opening themselves up to attack.
“Companies that deploy DevSecOps solutions will experience fewer fire drills in later stages and deliver safer, higher quality code,” Bell said. “Pushing a development project through production and creating technical debt is a recipe for disaster.”
Achieving ‘cyber resiliency’
When it comes to protection, proper tooling is crucial, Bell said.
Automated release management is an essential aspect of every DevSecOps strategy. This is the process of planning and working through the application development pipeline – from the earliest preparation stages, to development, to testing, to deployment, to continued monitoring after release.
Continuous integration and continuous deployment (CI/CD) tools help to strengthen testing processes, shoring up potential areas of attack before the production stage, Bell said. Data backup tools can also be employed to automatically route data to its proper location and maintain a consistent interface for both employees and customers.
Protection also comes down to helping employees become more “cyber resilient.”
From communicating best practices such as updated user permissions, to implementing strong passwords, to reinforcing the ability to spot phishing attempts, Bell underscored that “open communication is key to success.”
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.